FirstBlood-#17Stored XSS on



On 2021-05-09, smhtahsin33 reported:

Hello, I Found a Stored XSS in /drpanel/drapi/query.php?aptid=56914507 It triggers in Administrator Account.

Steps To Reproduce:**

  1. Visit http://firstbloodhackers.com:49202/book-appointment.html
  2. On the First Name Enter <marquee onstart=confirm1>XSS</marquee>
  3. Then Fillup everything and Send
  4. When the admin will visit the Appointment via /drpanel/drapi/query.php?aptid={{id}}
  5. It will popup there

Note: confirm has backticks ` in place of parenthases, the markdown is executing it as a bold text on 1

Impact: Inject Malicious Javascript

Kind Regards

P2 High

Endpoint: /drpanel/drapi/query.php?aptid=56914507

Parameter: fname

Payload: <marquee onstart=confirm`1`>XSS</marquee>


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name

Report Feedback

@zseano

Creator & Administrator


Nice find smhtahsin33! :)


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.